Documentation ¶
Constants ¶
const (
	// RouteInitBrowserFlow starts a login flow for browser clients (cookie-based session).
	RouteInitBrowserFlow = "/self-service/login/browser"
	// RouteInitAPIFlow starts a login flow for native/API clients (session-token based).
	RouteInitAPIFlow = "/self-service/login/api"
	// RouteGetFlow returns an existing login flow.
	// NOTE(review): which of these routes are registered on the public vs. the admin router is not
	// visible here; see Handler.RegisterPublicRoutes / RegisterAdminRoutes before exposing them.
	RouteGetFlow = "/self-service/login/flows"
	// RouteSubmitFlow is the endpoint a login form (browser or API) is submitted to.
	RouteSubmitFlow = "/self-service/login"
)
Variables ¶
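var (
	// ErrHookAbortFlow signals that login hook execution was aborted. Presumably returned by a
	// hook to stop the remaining hooks in the chain from running — confirm in HookExecutor.
	ErrHookAbortFlow = errors.New("aborted login hook execution")

	// ErrAlreadyLoggedIn is returned when a login flow is requested while a valid session already
	// exists and re-authentication was not explicitly asked for with `?refresh=true`.
	ErrAlreadyLoggedIn = herodot.ErrBadRequest.
		WithID(text.ErrIDAlreadyLoggedIn).
		WithError("you are already logged in").
		WithReason("A valid session was detected and thus login is not possible. Did you forget to set `?refresh=true`?")

	// ErrAddressNotVerified is returned when the identity's email or phone address has not been
	// verified yet and (presumably) the configuration requires a verified address to log in.
	ErrAddressNotVerified = herodot.ErrBadRequest.
		WithID(text.ErrIDAddressNotVerified).
		WithError("your email or phone address is not yet verified").
		WithReason("Your account's email or phone address is not verified yet. Please check your email or phone inbox or re-request verification.")

	// ErrSessionHasAALAlready is returned when one attempts to upgrade the AAL of an active session which already has that AAL.
	ErrSessionHasAALAlready = herodot.ErrUnauthorized.
		WithID(text.ErrIDSessionHasAALAlready).
		WithError("session has the requested authenticator assurance level already").
		WithReason("The session has the requested AAL already.")

	// ErrSessionRequiredForHigherAAL is returned when someone requests AAL2 or AAL3 even though no active session exists yet.
	// A second/third factor can only be added on top of an already authenticated first factor.
	ErrSessionRequiredForHigherAAL = herodot.ErrUnauthorized.
		WithID(text.ErrIDSessionRequiredForHigherAAL).
		WithError("aal2 and aal3 can only be requested if a session exists already").
		WithReason("You cannot request a higher AAL (AAL2/AAL3) without an active session.")
)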
// ErrBreakLoginPopulate signals that the remaining login-form population steps should be skipped.
// Presumably returned from a form hydrator / population hook and recognised by the caller with
// errors.Is — confirm against the strategy code, which is not shown here.
var ErrBreakLoginPopulate = errors.New("skip rest of login form population")
var (
	// ErrUnknownTrait is returned when a trait referenced by name is not present in the identity
	// schema (presumably from GetIdentifierLabelFromSchemaWithField, which takes a trait name — confirm).
	// It is an internal server error (500), which indicates a configuration/schema problem rather
	// than bad client input.
	ErrUnknownTrait = herodot.ErrInternalServerError.WithReasonf("Trait does not exist in identity schema")
)
Functions ¶
func GetIdentifierLabelFromSchema ¶ added in v1.1.0
func GetIdentifierLabelFromSchemaWithField ¶ added in v1.1.0
func PostHookExecutorNames ¶
func PostHookExecutorNames(e []PostHookExecutor) []string
Types ¶
type APIFlowResponse ¶
type APIFlowResponse struct {
	// The Session Token
	//
	// A session token is equivalent to a session cookie, but it can be sent in the HTTP Authorization
	// Header:
	//
	//     Authorization: bearer ${session-token}
	//
	// The session token is only issued for API flows, not for Browser flows!
	//
	// NOTE(review): because it is equivalent to the session cookie, whoever holds this token holds
	// the session. Treat it as a credential: keep it out of logs, URLs and error messages.
	Token string `json:"session_token,omitempty"`

	// The Session
	//
	// The session contains information about the user, the session device, and so on.
	// This is only available for API flows, not for Browser flows!
	//
	// required: true
	Session *session.Session `json:"session"`

	// Contains a list of actions, that could follow this flow
	//
	// It can, for example, contain a reference to the verification flow created as part of the
	// user's registration, or the token of the session.
	//
	// required: false
	ContinueWith []flow.ContinueWith `json:"continue_with"`
}
The Response for Login Flows via API
swagger:model successfulNativeLogin
type ErrorHandler ¶
// ErrorHandler writes login-flow errors back to the client. Its two entry points are
// WriteFlowError and PrepareReplacementForExpiredFlow; construct it with NewFlowErrorHandler.
// The dependency fields are unexported and not shown on this page.
type ErrorHandler struct {
	// contains filtered or unexported fields
}
func NewFlowErrorHandler ¶
func NewFlowErrorHandler(d errorHandlerDependencies) *ErrorHandler
func (*ErrorHandler) PrepareReplacementForExpiredFlow ¶
func (s *ErrorHandler) PrepareReplacementForExpiredFlow(w http.ResponseWriter, r *http.Request, f *Flow, err error) (*flow.ExpiredError, error)
func (*ErrorHandler) WriteFlowError ¶
func (s *ErrorHandler) WriteFlowError(w http.ResponseWriter, r *http.Request, f *Flow, group node.UiNodeGroup, err error)
type ErrorHandlerProvider ¶
// ErrorHandlerProvider is the dependency-injection seam through which other packages obtain the
// login flow's ErrorHandler.
type ErrorHandlerProvider interface {
	LoginFlowErrorHandler() *ErrorHandler
}
type Flow ¶
// Flow is the server-side record of one login attempt. It is stored via gobuffalo.pop (fields
// tagged `db:"-"` are not mapped to a column and live only for the current request) and is
// serialized to clients as the `loginFlow` swagger model (fields tagged `json:"-"` are never
// sent to the client).
type Flow struct {
	// ID represents the flow's unique ID. When performing the login flow, this
	// represents the id in the login UI's query parameter: http://<selfservice.flows.login.ui_url>/?flow=<flow_id>
	//
	// NOTE(review): the ID travels in a query string, so it must not be treated as a secret on
	// its own; browser submissions are additionally bound to the flow by CSRFToken below.
	//
	// required: true
	ID uuid.UUID `json:"id" faker:"-" db:"id" rw:"r"`
	// NID is the network ID the flow belongs to. Hidden from the API (json:"-").
	// Presumably the tenancy scope used by the persister — confirm.
	NID uuid.UUID `json:"-" faker:"-" db:"nid"`
	// OrganizationID is optional; omitted from JSON when unset.
	OrganizationID uuid.NullUUID `json:"organization_id,omitempty" faker:"-" db:"organization_id"`
	// Ory OAuth 2.0 Login Challenge.
	//
	// This value is set using the `login_challenge` query parameter of the registration and login endpoints.
	// If set will cooperate with Ory OAuth2 and OpenID to act as an OAuth2 server / OpenID Provider.
	//
	// Note the database column is named `oauth2_login_challenge_data`, not `oauth2_login_challenge`.
	OAuth2LoginChallenge sqlxx.NullString `json:"oauth2_login_challenge,omitempty" faker:"-" db:"oauth2_login_challenge_data"`
	// HydraLoginRequest is an optional field whose presence indicates that Kratos
	// is being used as an identity provider in a Hydra OAuth2 flow. Kratos
	// populates this field by retrieving its value from Hydra and it is used by
	// the login and consent UIs.
	//
	// It is not persisted (db:"-"); it is fetched from Hydra when needed.
	HydraLoginRequest *hydraclientgo.OAuth2LoginRequest `json:"oauth2_login_request,omitempty" faker:"-" db:"-"`
	// Type represents the flow's type which can be either "api" or "browser", depending on the flow interaction.
	//
	// required: true
	Type flow.Type `json:"type" db:"type" faker:"flow_type"`
	// ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to log in,
	// a new flow has to be initiated.
	//
	// required: true
	ExpiresAt time.Time `json:"expires_at" faker:"time_type" db:"expires_at"`
	// IssuedAt is the time (UTC) when the flow started.
	//
	// required: true
	IssuedAt time.Time `json:"issued_at" faker:"time_type" db:"issued_at"`
	// InternalContext stores internal context used by internals - for example MFA keys.
	//
	// NOTE(review): never serialized to clients (json:"-"). Since it may hold MFA key material,
	// keep it out of log output as well (see ToLoggerField).
	InternalContext sqlxx.JSONRawMessage `db:"internal_context" json:"-" faker:"-"`
	// RequestURL is the initial URL that was requested from Ory Kratos. It can be used
	// to forward information contained in the URL's path or query for example.
	//
	// NOTE(review): this is whatever URL the client requested, echoed back verbatim. Treat its
	// path and query as untrusted input; do not redirect to it (or to anything derived from it)
	// without validation — SecureRedirectToOpts exists for that purpose, confirm it is applied
	// wherever this value is consumed.
	//
	// required: true
	RequestURL string `json:"request_url" db:"request_url"`
	// ReturnTo contains the requested return_to URL.
	//
	// Not persisted on this struct (db:"-"). NOTE(review): this is a client-supplied redirect
	// target and therefore an open-redirect surface; it must be checked against the allowed
	// return-to URLs before use (presumably via SecureRedirectToOpts — confirm).
	ReturnTo string `json:"return_to,omitempty" db:"-"`
	// The active login method
	//
	// If set contains the login method used. If the flow is new, it is unset.
	Active identity.CredentialsType `json:"active,omitempty" db:"active_method"`
	// UI contains data which must be shown in the user interface.
	//
	// required: true
	UI *container.Container `json:"ui" db:"ui"`
	// CreatedAt is a helper struct field for gobuffalo.pop.
	CreatedAt time.Time `json:"created_at" db:"created_at"`
	// UpdatedAt is a helper struct field for gobuffalo.pop.
	UpdatedAt time.Time `json:"updated_at" db:"updated_at"`
	// CSRFToken contains the anti-csrf token associated with this flow. Only set for browser flows.
	//
	// Never serialized to clients (json:"-"); it is stored with the flow and checked on submission.
	CSRFToken string `json:"-" db:"csrf_token"`
	// Refresh stores whether this login flow should enforce re-authentication.
	//
	// Note the database column is named `forced`, not `refresh`.
	Refresh bool `json:"refresh" db:"forced"`
	// RequestedAAL stores if the flow was requested to update the authenticator assurance level.
	//
	// This value can be one of "aal1", "aal2", "aal3".
	// The faker:"len=4" tag is only a test-fixture hint (every valid value is four characters).
	RequestedAAL identity.AuthenticatorAssuranceLevel `json:"requested_aal" faker:"len=4" db:"requested_aal"`
	// SessionTokenExchangeCode holds the secret code that the client can use to retrieve a session token after the login flow has been completed.
	// This is only set if the client has requested a session token exchange code, and if the flow is of type "api",
	// and only on creating the login flow.
	//
	// NOTE(review): this is a secret. It is not persisted on this struct (db:"-") and, per the
	// above, is only present in the creation response, so the client has to capture it then.
	// Handle it like a credential: no logs, no URLs.
	SessionTokenExchangeCode string `json:"session_token_exchange_code,omitempty" faker:"-" db:"-"`
	// State represents the state of this request:
	//
	// - choose_method: ask the user to choose a method to sign in with
	// - sent_email: the email has been sent to the user
	// - passed_challenge: the request was successful and the login challenge was passed.
	//
	// required: true
	State State `json:"state" faker:"-" db:"state"`
	// Only used internally: neither serialized (json:"-") nor persisted (db:"-").
	IDToken string `json:"-" db:"-"`
	// Only used internally: neither serialized (json:"-") nor persisted (db:"-").
	RawIDTokenNonce string `json:"-" db:"-"`
	// TransientPayload is used to pass data from the login to hooks and email templates
	//
	// NOTE(review): this is caller-controlled data that is forwarded to hooks and templates;
	// consumers should validate it rather than trust it.
	//
	// required: false
	TransientPayload json.RawMessage `json:"transient_payload,omitempty" faker:"-" db:"-"`
	// Contains a list of actions, that could follow this flow
	//
	// It can, for example, contain a reference to the verification flow, created as part of the user's
	// registration.
	//
	// Not serialized directly (json:"-"); exposed through the ContinueWith / AddContinueWith accessors.
	ContinueWithItems []flow.ContinueWith `json:"-" db:"-" faker:"-" `
	// ReturnToVerification contains the redirect URL for the verification flow.
	// Set via SetReturnToVerification; not persisted and not serialized.
	ReturnToVerification string `json:"-" db:"-"`
	// contains filtered or unexported fields
}
Login Flow
This object represents a login flow. A login flow is initiated at the "Initiate Login API / Browser Flow" endpoint by a client.
Once a login flow is completed successfully, a session cookie (browser flows) or a session token (API flows) is issued.
swagger:model loginFlow
func (*Flow) AddContinueWith ¶ added in v1.2.0
func (f *Flow) AddContinueWith(c flow.ContinueWith)
func (*Flow) ContinueWith ¶ added in v1.2.0
func (f *Flow) ContinueWith() []flow.ContinueWith
func (*Flow) EnsureInternalContext ¶
func (f *Flow) EnsureInternalContext()
func (*Flow) GetFlowName ¶ added in v1.1.0
func (*Flow) GetInternalContext ¶ added in v1.1.0
func (f *Flow) GetInternalContext() sqlxx.JSONRawMessage
func (*Flow) GetRequestURL ¶
func (*Flow) GetTransientPayload ¶ added in v1.2.0
func (t *Flow) GetTransientPayload() json.RawMessage
func (*Flow) IsRefresh ¶ added in v1.3.0
IsRefresh returns true if the login flow was triggered to re-authenticate the user. This is the case if the refresh query parameter is set to true.
func (Flow) MarshalJSON ¶
func (*Flow) SecureRedirectToOpts ¶ added in v1.0.0
func (*Flow) SetInternalContext ¶ added in v1.1.0
func (f *Flow) SetInternalContext(bytes sqlxx.JSONRawMessage)
func (*Flow) SetReturnTo ¶
func (f *Flow) SetReturnTo()
func (*Flow) SetReturnToVerification ¶ added in v1.2.0
func (*Flow) ToLoggerField ¶ added in v1.3.0
type FlowOption ¶ added in v0.11.0
// FlowOption is a functional option applied to a Flow while it is being created (see
// Handler.NewLoginFlow). Constructors on this page: WithFlowReturnTo, WithFormErrorMessage,
// WithInternalContext, WithIsAccountLinking.
type FlowOption func(f *Flow)
func WithFlowReturnTo ¶ added in v0.11.0
func WithFlowReturnTo(returnTo string) FlowOption
func WithFormErrorMessage ¶ added in v0.13.0
func WithFormErrorMessage(messages []text.Message) FlowOption
func WithInternalContext ¶ added in v1.1.0
func WithInternalContext(internalContext []byte) FlowOption
func WithIsAccountLinking ¶ added in v1.3.0
func WithIsAccountLinking() FlowOption
type FlowPersistenceProvider ¶
// FlowPersistenceProvider is the dependency-injection seam through which the login flow's
// persister (FlowPersister) is obtained.
type FlowPersistenceProvider interface {
	LoginFlowPersister() FlowPersister
}
type FlowPersister ¶
type FormHydrator ¶ added in v1.3.0
// FormHydrator is implemented by login strategies to populate the login form (sr.UI) for the
// different stages of a flow: first factor, second factor, their refresh (re-authentication)
// variants, and the two steps of the identifier-first flow.
type FormHydrator interface {
	PopulateLoginMethodFirstFactorRefresh(r *http.Request, sr *Flow) error
	PopulateLoginMethodFirstFactor(r *http.Request, sr *Flow) error
	PopulateLoginMethodSecondFactor(r *http.Request, sr *Flow) error
	PopulateLoginMethodSecondFactorRefresh(r *http.Request, sr *Flow) error

	// PopulateLoginMethodIdentifierFirstCredentials populates the login form with the first factor credentials.
	// This method is called when the login flow is set to identifier first. The method will receive information
	// about the identity that is being used to log in and the identifier that was used to find the identity
	// (via the WithIdentityHint / WithIdentifier modifiers).
	//
	// The method should populate the login form with the credentials of the identity.
	//
	// If the method can not find any credentials (because the identity does not exist) idfirst.ErrNoCredentialsFound
	// must be returned. When returning idfirst.ErrNoCredentialsFound the strategy will appropriately deal with
	// account enumeration mitigation.
	//
	// This method does however need to take appropriate steps to show/hide certain fields depending on the account
	// enumeration configuration: the shape of the rendered form must not reveal whether the
	// identifier exists unless the configuration explicitly allows that.
	PopulateLoginMethodIdentifierFirstCredentials(r *http.Request, sr *Flow, options ...FormHydratorModifier) error

	// PopulateLoginMethodIdentifierFirstIdentification populates the identifier-only step of
	// the identifier-first flow (before any identity has been looked up).
	PopulateLoginMethodIdentifierFirstIdentification(r *http.Request, sr *Flow) error
}
type FormHydratorModifier ¶ added in v1.3.0
// FormHydratorModifier is a functional option for FormHydratorOptions, used to pass the looked-up
// identity (WithIdentityHint) and the submitted identifier (WithIdentifier) to
// FormHydrator.PopulateLoginMethodIdentifierFirstCredentials.
type FormHydratorModifier func(o *FormHydratorOptions)
func WithIdentifier ¶ added in v1.3.0
func WithIdentifier(i string) FormHydratorModifier
func WithIdentityHint ¶ added in v1.3.0
func WithIdentityHint(i *identity.Identity) FormHydratorModifier
type FormHydratorOptions ¶ added in v1.3.0
func NewFormHydratorOptions ¶ added in v1.3.0
func NewFormHydratorOptions(modifiers []FormHydratorModifier) *FormHydratorOptions
type Handler ¶
// Handler serves the login flow HTTP routes (see the Route* constants) and creates flows via
// NewLoginFlow / FromOldFlow. Construct it with NewHandler; its dependencies are unexported and
// not shown on this page.
type Handler struct {
	// contains filtered or unexported fields
}
func NewHandler ¶
func NewHandler(d handlerDependencies) *Handler
func (*Handler) FromOldFlow ¶
func (*Handler) NewLoginFlow ¶
func (*Handler) RegisterAdminRoutes ¶
func (h *Handler) RegisterAdminRoutes(admin *x.RouterAdmin)
func (*Handler) RegisterPublicRoutes ¶
func (h *Handler) RegisterPublicRoutes(public *x.RouterPublic)
type HandlerProvider ¶
// HandlerProvider is the dependency-injection seam through which the login Handler is obtained.
type HandlerProvider interface {
	LoginHandler() *Handler
}
type HookExecutor ¶
// HookExecutor runs the pre- and post-login hook chains (PreLoginHook / PostLoginHook).
// Construct it with NewHookExecutor; its dependencies are unexported and not shown on this page.
type HookExecutor struct {
	// contains filtered or unexported fields
}
func NewHookExecutor ¶
func NewHookExecutor(d executorDependencies) *HookExecutor
func (*HookExecutor) PostLoginHook ¶
func (e *HookExecutor) PostLoginHook( w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, f *Flow, i *identity.Identity, s *session.Session, provider string, ) (err error)
func (*HookExecutor) PreLoginHook ¶
func (e *HookExecutor) PreLoginHook(w http.ResponseWriter, r *http.Request, a *Flow) error
type HookExecutorProvider ¶
// HookExecutorProvider is the dependency-injection seam through which the login HookExecutor is obtained.
type HookExecutorProvider interface {
	LoginHookExecutor() *HookExecutor
}
type HooksProvider ¶
// HooksProvider supplies the hook chains for a login flow. PostLoginHooks is keyed by the
// credentials type, so each login method can have its own post-login chain; PreLoginHooks is
// method-independent. Presumably backed by configuration — the selection logic is not shown here.
type HooksProvider interface {
	PreLoginHooks(ctx context.Context) []PreHookExecutor
	PostLoginHooks(ctx context.Context, credentialsType identity.CredentialsType) []PostHookExecutor
}
type LinkableStrategy ¶ added in v1.1.0
type PostHookExecutor ¶
// PostHookExecutor is a hook that runs after a login succeeded, with the freshly created
// session s and the completed flow a. Presumably returning ErrHookAbortFlow stops the remaining
// hooks — confirm in HookExecutor.PostLoginHook, whose body is not shown here.
type PostHookExecutor interface {
	ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, a *Flow, s *session.Session) error
}
type PreHookExecutor ¶
type State ¶ added in v1.1.0
Login Flow State
The state identifies the stage a login flow is currently in.
- choose_method: ask the user to choose a method (e.g. login account via email) - sent_email: the email has been sent to the user - passed_challenge: the request was successful and the login challenge was passed.
swagger:model loginFlowState
type Strategies ¶
// Strategies is the set of registered login strategies. Strategy looks one up by credentials
// type and returns an error when it is unknown; MustStrategy is the panicking variant and
// should only be used where the type is guaranteed to exist.
type Strategies []Strategy
func (Strategies) MustStrategy ¶
func (s Strategies) MustStrategy(id identity.CredentialsType) Strategy
func (Strategies) RegisterPublicRoutes ¶
func (s Strategies) RegisterPublicRoutes(r *x.RouterPublic)
func (Strategies) Strategy ¶
func (s Strategies) Strategy(id identity.CredentialsType) (Strategy, error)
type Strategy ¶
// Strategy is one login method (password, OIDC, code, ...). ID identifies it by credentials
// type, NodeGroup names the UI node group it renders into, RegisterLoginRoutes mounts its
// method-specific public routes, and Login performs the actual authentication for flow f and
// returns the authenticated identity. sess is presumably the existing session when the flow
// refreshes or upgrades the AAL of a logged-in user (nil otherwise) — confirm against the
// implementations. CompletedAuthenticationMethod reports the method recorded on the session.
type Strategy interface {
	ID() identity.CredentialsType
	NodeGroup() node.UiNodeGroup
	RegisterLoginRoutes(*x.RouterPublic)
	Login(w http.ResponseWriter, r *http.Request, f *Flow, sess *session.Session) (i *identity.Identity, err error)
	CompletedAuthenticationMethod(ctx context.Context) session.AuthenticationMethod
}
type StrategyFilter ¶ added in v1.1.0
type StrategyProvider ¶
// StrategyProvider exposes the login strategies. AllLoginStrategies returns every registered
// strategy; LoginStrategies returns the subset enabled for the given context, optionally
// narrowed by StrategyFilter values.
type StrategyProvider interface {
	AllLoginStrategies() Strategies
	LoginStrategies(ctx context.Context, filters ...StrategyFilter) Strategies
}